Online secure device provisioning framework
Abstract
A method for updating network-enabled devices with new identity data includes generating a plurality of new identity data records and loading the new identity data records onto an update server. A request is received at the update server for new identity data from at least one network-enabled device having a previously assigned identity linked to an identifier. The previously assigned identifier is linked to a new identifier that is linked to one of the new identity data records. One or more new identity data records are securely delivered to the network-enabled device.
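The whitelist-gated update flow of claim 1, sketched as an added example (written for this page, not code from the patent or its assignee). Keying both identifier databases by a device serial, all class and function names, and the sample values are assumptions; the ciphertext stands in for a record the identity generation system has already encrypted under the device's installed key, so the update server only relays it.

```python
"""Whitelist-gated identity update (illustrative; sample data is constructed)."""


def consolidate_whitelist(first_db, second_db, authorized_serials):
    """Join both identifier databases, keeping authorized devices found in both.

    Returns {first identifier: second identifier}. Keying the databases by a
    device serial is an assumption of this example.
    """
    return {
        first_db[s]: second_db[s]
        for s in authorized_serials
        if s in first_db and s in second_db
    }


class UpdateServer:
    def __init__(self, whitelist, encrypted_records):
        self.whitelist = whitelist        # first id -> second id
        self.records = encrypted_records  # second id -> (new id, ciphertext)
        self.links = {}                   # previously assigned id -> new id

    def handle_request(self, previous_id):
        """Return (new_id, ciphertext) for an authorized device, else None."""
        second_id = self.whitelist.get(previous_id)
        if second_id is None:
            return None                   # device is not on the whitelist
        record = self.records.get(second_id)
        if record is None:
            return None                   # no record was generated for it
        new_id, ciphertext = record
        self.links[previous_id] = new_id  # link old identity to the new one
        return new_id, ciphertext         # server never sees the device key


# Constructed sample data: SN2 is not authorized, SN3 is absent from second_db.
FIRST_DB = {"SN1": "OLD-A", "SN2": "OLD-B", "SN3": "OLD-C"}
SECOND_DB = {"SN1": "UID-1", "SN2": "UID-2"}
AUTHORIZED = ["SN1", "SN3"]
WHITELIST = consolidate_whitelist(FIRST_DB, SECOND_DB, AUTHORIZED)
RECORDS = {"UID-1": ("NEW-A", b"<record encrypted under SN1's installed key>")}
```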
28 Claims
1. A method for updating network-enabled devices with new identity data, comprising:
- collecting a first identifier for each network-enabled device from a first database and a second identifier for each network-enabled device from a second database;
- consolidating into a whitelist the first and second identifiers associated with network-enabled devices that are authorized to be upgraded with new identity data;
- generating a plurality of new identity data records;
- encrypting the plurality of new identity data records at an identity generation system that is separate from the network-enabled devices using a key previously installed in each respective network-enabled device to produce encrypted new identity data records;
- loading the encrypted new identity data records onto an update server;
- receiving at the update server a request for new identity data from at least one network-enabled device having a previously assigned identity linked to the first identifier;
- authorizing the at least one network-enabled device for the new identity data based on the whitelist;
- linking the previously assigned identifier to a new identifier linked to one of the encrypted new identity data records; and
- securely delivering one or more encrypted new identity data records to the network-enabled device.
View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
15. An identity management system, comprising:
- an identity data generator, separate from a plurality of network-enabled devices configured to generate a plurality of new identity data records and encrypt the new identity data records using a key previously installed in each of the plurality of network-enabled devices to produce encrypted new identity data records;
- a whitelist manager configured to (i) receive two or more identifiers associated with each of the plurality of network-enabled devices deployed for use in association with a network, the two or more identifiers received from different entities, an identifier associated with a first encryption type being received from a first entity indicating that the network-enabled device associated with the identifier is authorized to receive new identity data and (ii) produce a whitelist relating the two or more identifiers to each of the network-enabled device that are authorized to receive new identity data, wherein at least one of the identifiers associated with each network-enabled device is a previously assigned identifier;
- an update server configured to (i) receive the new identity data records from the identity data generator, (ii) receive requests for new identity data from the plurality of network-enabled devices (iii) authenticate each of the network-enabled devices and (iv) deliver an encrypted new identity data record to each one of the authenticated network-enabled device that are authorized to receive a new identity data record in accordance with the whitelist, said new identity data record being linked to the previously assigned identifier of the authenticated network-enabled device.
View Dependent Claims (16, 17, 18, 19, 20, 21, 22)
23. An identity data management system, comprising:
- two or more databases storing at least two identifiers associated with a plurality of network-enabled devices, a first and second of the two identifiers being identifiers of a first and second encryption type, respectively, a first database of the two or more databases storing the first identifiers, a second database of the two or more databases storing the second identifiers;
- a whitelist manager for receiving a first set of data specifying one or more of the network-enabled devices that are authorized to be updated with new identity data, wherein the one or more network-enabled devices are identified in the first set of data by identifiers of the first encryption type, wherein the whitelist manager is configured to access the first and second databases to retrieve identifiers of the first and second encryption type which correspond to the identifiers of the first encryption type included in the first set of data and to establish a whitelist that includes corresponding identifiers of the first and second encryption type and to deliver said whitelist to an identity data generator and to an update server;
- an identity data generator, separate from the plurality of network-enabled devices, configured to generate identity data records that are each identified by an identifier associated with the second encryption type, said generated identity records being generated for network-enabled devices specified on the whitelist received from the whitelist manager, wherein the identity data generator is further configured to associate the identity data records with the whitelist and encrypt the identity data records using a key previously installed in each of the network-enabled devices specified on the whitelist to produce encrypted new identity data records; and
- an update server configured to receive over a communications network a request for new identity data from a deployed network-enabled device, and, said update server being further configured to send the encrypted new identity data records to the deployed network-enabled devices respectively identified by identifiers of the first encryption type in the whitelist and in data received from the identity data generator.
View Dependent Claims (24, 25)
26. At least one non-transitory computer-readable medium encoded with instructions which, when executed by a processor, performs a method for updating network-enabled devices with new identity data, each of said network-enabled devices having at least two encryption types of identifiers associated therewith, comprising:
- receiving over a communications network a plurality of requests for new identity data for a plurality of network-enabled devices, each of said requests including an identifier associated with a second encryption type associated with the network-enabled devices;
- obtaining an identifier associated with a first encryption type associated with each of the network-enabled devices, said first identifier encryption type being an identifier that is included in identity data with which the network-enabled device is currently provisioned, wherein the network-enabled devices have previously been provisioned with identifiers of the first encryption type by respectively assigning the identifiers of the first encryption type to network-enabled devices that are already identified by identifiers of the second encryption type;
- receiving new identity data assigned with new identifiers of the second encryption type, wherein each of the new identifiers is matched with a corresponding identifier associated with the first encryption type;
- encrypting the new identity data at an identity generation system that is separate from the network-enabled devices using a key previously installed in each of the network-enabled devices to produce encrypted new identity data;
- delivering over the communications network the encrypted new identity data to respective ones of the network-enabled devices in accordance with their respective second identifiers.
View Dependent Claims (27, 28)
Specification